Preventing Users from Modifying Group Policy Settings

  • Section(s): Admin, Security
  • Published on May 30, 2006.
  • Last Modified on May 30, 2006.
  • Last Modified by Mitch Tulloch.
  • Rated 3.8 out of 5 based on 9 votes.
How to prevent users from modifying Group Policy.

Group Policy is the administrator's friend, as it lets you lock down security, desktop and user settings on users' machines and for user accounts. Unfortunately, in some scenarios admins grant desktop users local admin privileges on their machines, either because of application compatibility issues or for specific power needs. And being a local admin on your machine means you can undo many Group Policy settings targeting your machine simply by editing the registry directly.

How can you prevent local admin users from doing this? You can't actually, but you can force Group Policy settings to be reapplied to target computers even when the actual settings within a GPO haven't changed. To do this, open the following policy setting in your GPO:

Computer Configuration \ Administrative Templates \ System \ Group Policy \ Registry Policy Processing

Enable this policy setting and select the checkbox labeled "Process even if the Group Policy objects have not changed". This automatically re-applies the policy to the targeted computer during background refresh even though the GPO settings themselves haven't changed. As a result, any registry changes to policy that the local user has made will get undone during background refresh, and hopefully if this happens frequently enough the user will get frustrated and stop trying to circumvent policy.
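To confirm that a target computer has actually received this setting, you can read the values the policy writes to the registry. The following PowerShell is an added example, not part of the original tip: the function name is hypothetical, and the key and value names (which the article does not list) are assumed to be the ones this administrative template writes.

```powershell
# Added example. Assumption: the "Registry Policy Processing" policy stores its
# options under the registry client-side extension GUID below.
$RegistryCse = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
$PolicyKey   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\$RegistryCse"

function Test-RegistryPolicyReapply {   # hypothetical helper name
    param([string]$KeyPath = $PolicyKey)

    $result = [ordered]@{
        Computer               = $env:COMPUTERNAME
        PolicyConfigured       = $false
        ReappliesUnchangedGpos = $false
        BackgroundProcessing   = $true   # default behaviour when the policy is not set
        Finding                = ''
    }

    if (Test-Path -LiteralPath $KeyPath) {
        $values = Get-ItemProperty -LiteralPath $KeyPath
        $result.PolicyConfigured = $true
        # 0 = "Process even if the Group Policy objects have not changed" is selected
        $result.ReappliesUnchangedGpos = ($values.NoGPOListChanges -eq 0)
        # 1 = "Do not apply during periodic background processing" is selected
        $result.BackgroundProcessing = ($values.NoBackgroundPolicy -ne 1)
    }

    $result.Finding =
        if (-not $result.PolicyConfigured) {
            'Policy not configured: registry settings are reprocessed only when a GPO changes.'
        } elseif (-not $result.ReappliesUnchangedGpos) {
            'Policy configured, but the "process even if unchanged" checkbox is not selected.'
        } elseif (-not $result.BackgroundProcessing) {
            'Reapply is on, but background processing is disabled: edits persist until restart or logon.'
        } else {
            'OK: registry policy is reapplied at every background refresh.'
        }

    [pscustomobject]$result
}

# Report the state of the local machine.
Test-RegistryPolicyReapply | Format-List
```

The third finding matters for this tip: the reapply described above happens during background refresh, so the setting has little effect if background processing of registry policy has been turned off in the same policy dialog.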

This solution isn't perfect, so it should be augmented by mandating in your written security policy that users are not allowed to undo policy settings on their machine, even temporarily. In fact, the foundation for true network security is not technological settings like these but a clear, comprehensive written security policy that is fairly but consistently enforced. That's because security is fundamentally a human problem, not a machine one.

Cheers,
Mitch Tulloch
MVP Windows Server
http://www.mtit.com

About Mitch Tulloch

Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is the book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. Mitch was also the author of Introducing Windows Server 2008 and technical project lead for the Microsoft Office Communications Server 2007 Resource Kit, both books also from Microsoft Press. For more information on these and other books by Mitch, see www.mtit.com.
